A Guide to COPPA Compliance When Using Third-Party APIs

Data Privacy Compliance Series: What Engineering and IT Leaders Need to Know

As an engineering or IT leader, it’s critical to be aware of the data privacy and compliance requirements that come along with third-party API usage under the Children’s Online Privacy Protection Act (COPPA). If children aren’t your primary audience, you may not think COPPA applies to your business at first glance – but read on to learn how COPPA could be relevant to you and the easiest way to protect against potential violations.


COPPA is a federal law designed to give parents of young children (13 years old or younger) control over data collected from their children online.

What It Protects

COPPA protects any personally identifying information (like full name, address, contact information, geolocation information, screen names, etc.) about children under the age of 13. The law also applies to children outside of the U.S.

Why It Matters to You If You’re Consuming APIs

You are subject to COPPA if your website, business or app is either directed at children under 13 (like a children’s game or the website of a children’s movie) or collects and/or shares personal information from children under 13. (You can find more information about how to determine whether your business is directed at children here.) So even if your website targets a more general audience, if you have knowledge that you may collect or share data from children under 13, you will need to comply with COPPA.

When it comes to APIs, COPPA requires you to verify that third parties with whom you share personal information have reasonable practices for maintaining confidentiality and security and for preventing unauthorized use of children’s information.

The penalty for not complying with COPPA can be a $16,000 - $40,000 fine per child affected by the violation.

What You Need to Provide for Your Customers

  • The ability to consent. Under COPPA, anyone collecting information from children under 13 needs to get consent from a child’s parent before any information is collected.
  • The ability to specify how data is used. Parents have the right to consent to data collection for a website or business’s internal use only and prohibit the sale or sharing of the information to third parties, like APIs.
  • A record of information that has been collected about a child upon request of the parents, who can review these records or have them deleted at any time.

What COPPA Requires of Your Business

Businesses subject to COPPA are required to post a clear privacy policy and obtain verifiable parental consent before collecting any information from children. The law also specifies that personal information can only be retained for as long as absolutely necessary to fulfill its intended purpose before being deleted.

Three Things You’ll Need to (Easily) Comply with COPPA

  1. Visibility.

It’s critical to keep clear records of what data and information your business is collecting. If your business is directed at children under 13, these records will help you share or delete information promptly upon a parent’s request and ensure that information is deleted once it is no longer necessary to retain. If your business is not directed at children under 13, clear visibility into what data you collect and share will help you verify either that you are not collecting information from children or that you do need to take steps to become COPPA-compliant.

  2. Data Policy Controls.

Setting up automated data controls will help you ensure that you are complying with parents’ requests to prohibit data sharing with third parties and that each piece of data is only being shared or stored according to COPPA requirements and parental requests.

  3. Monitoring.

Ongoing monitoring means you’ll be alerted immediately in the event of a possible COPPA violation. It’s a good idea even for companies that do not target children under 13 to monitor all data collection and sharing in the event that information is collected from a child or is mistakenly shared.

Hoss lets you track, tag and monitor all of your data processing activities with third-party APIs to help you protect your customers’ privacy and stay compliant with the CCPA as simply as possible. Get in touch to learn more.
